Changes

no edit summary
Line 32: Line 32:  
----
 
----
    +
First we will generate our CA cert. Login to the router's WebUI and go to '''System → Administration → Certificates'''.
   −
====Generating CA Cert====
+
====Certificates Generation====
 
----
 
----
    
First we will generate our CA cert.
 
First we will generate our CA cert.
   −
* Login to the router's WebUI and go to '''System → Administration → Certificates'''.  
+
Follow the steps below to generate a CA certificate.
 +
 
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
   −
- File Type: '''''CA'''''
+
1. File Type: '''''CA'''''
   −
- Key Size: '''''1024'''''
+
2. Key Size: '''''1024'''''
   −
- Name (CN): '''''CAIPSec''''' // This can be whatever name you choose.
+
3. Name (CN): '''''CAIPSec''''' // This can be whatever name you choose.
   −
- Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
4. Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
   −
- Country Code (CC): '''''US''''' // Fill your country code
+
5. Country Code (CC): '''''US''''' // Fill your country code
   −
- State or Province Name (ST): '''''TX''''' // Fill your State/Province name
+
6. State or Province Name (ST): '''''TX''''' // Fill your State/Province name
   −
- Locality Name (L): '''''CAIPSec''''' // Fill your locality name, or at least a recognizable name for your CA
+
7. Locality Name (L): '''''CAIPSec''''' // Fill your locality name, or at least a recognizable name for your CA
   −
- Organization Name (O): '''''CAIPSec''''' // Fill your Organization name
+
8. Organization Name (O): '''''CAIPSec''''' // Fill your Organization name
   −
- Organizational Unit Name (OU): '''''CAIPSEC''''' // Fill your specific Unit Name
+
9. Organizational Unit Name (OU): '''''CAIPSEC''''' // Fill your specific Unit Name
   −
- '''''Generate''''' Certificate
+
10. '''''Generate''''' Certificate
 
<br>
 
<br>
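Review bot: Step 2 keeps Key Size at 1024 for the CA key, which every certificate in this guide chains to; assuming these are RSA keys, 1024 bits is below the 2048-bit minimum in current guidance. Suggest using 2048 or larger in the example if the Key Size field offers it, or at least adding a // comment on that step like the ones on the other fields. Separately, the new opening line "First we will generate our CA cert. Login to the router's WebUI and go to ..." is added above the heading while the unchanged "First we will generate our CA cert." stays below it, so the sentence now appears twice; drop one of the two.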
   Line 72: Line 74:     
<br>
 
<br>
Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA.
  −
Under the '''Certificate signing''' configure as follows:
     −
- Signed Certificate Name: '''''CAIPSec'''''
+
Follow the steps below to generate a RUT1 client certificate.
 +
 
 +
The following are the settings used for this example, but values should be changed depending on your specific needs:
 +
 
 +
1. File Type: '''''Client'''''
 +
 
 +
2. Key Size: '''''1024'''''
 +
 
 +
3. Name (CN): '''''RUT1''''' // This can be whatever name you choose.
 +
 
 +
4. Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
   −
- Type of Certificate to Sign: '''''Certificate Authority'''''
+
5. Country Code (CC): '''''US''''' // Fill your country code
   −
- Certificate Request File: '''''CAIPSec.req.pem'''''
+
6. State or Province Name (ST): '''''TX''''' // Fill your State/Province name
   −
- Days Valid: '''''3650''''' // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
+
7. Locality Name (L): '''''RUT1''''' // Fill your locality name, or at least a recognizable name for your CA
   −
- Certificate Authority Key: '''''CAIPSec.key.pem'''''
+
8. Organization Name (O): '''''RUT1''''' // Fill your Organization name
   −
- Leave the rest of the configuration default
+
9. Organizational Unit Name (OU): '''''RUT1''''' // Fill your specific Unit Name
   −
- '''''Sign'''''
+
10. '''''Generate''''' Certificate
 
<br>
 
<br>
   −
[[File:IPSec CA Cert Signing.png|none|none]]
+
[[File:IPSec RUT1 Cert Generating.png|none|none]]
    
<br>
 
<br>
After you hit *Sign* the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.cert.pem under *Certificates*.
+
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
 
<br>
 
<br>
   −
[[File:IPSec CA Cert Generating Confirmation2.png|none|none]]
+
[[File:IPSec RUT1 Cert Generating Confirmation.png|none|none]]
 +
 
 
<br>
 
<br>
   −
====Generating Rut1 Client Cert====
+
We will still generate RUT2 certs on the RUT1 device, so that we can sign our certs with the CA created earlier.
----
+
Later we will download the certs required for RUT2 and import them there.
 +
 
 +
Follow the steps below to generate a RUT2 client certificate.
   −
* Login to the router's WebUI and go to '''System → Administration → Certificates'''.
   
The following are the settings used for this example, but values should be changed depending on your specific needs:
 
The following are the settings used for this example, but values should be changed depending on your specific needs:
   −
- File Type: '''''Client'''''
+
1. File Type: '''''Client'''''
   −
- Key Size: '''''1024'''''
+
2. Key Size: '''''1024'''''
   −
- Name (CN): '''''RUT1''''' // This can be whatever name you choose.
+
3. Name (CN): '''''RUT2''''' // This can be whatever name you choose.
   −
- Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
4. Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
   −
- Country Code (CC): '''''US''''' // Fill your country code
+
5. Country Code (CC): '''''US''''' // Fill your country code
   −
- State or Province Name (ST): '''''TX''''' // Fill your State/Province name
+
6. State or Province Name (ST): '''''TX''''' // Fill your State/Province name
   −
- Locality Name (L): '''''RUT1''''' // Fill your locality name, or at least a recognizable name for your CA
+
7. Locality Name (L): '''''RUT2''''' // Fill your locality name, or at least a recognizable name for your CA
   −
- Organization Name (O): '''''RUT1''''' // Fill your Organization name
+
8. Organization Name (O): '''''RUT2''''' // Fill your Organization name
   −
- Organizational Unit Name (OU): '''''RUT1''''' // Fill your specific Unit Name
+
9. Organizational Unit Name (OU): '''''RUT2''''' // Fill your specific Unit Name
   −
- '''''Generate''''' Certificate
+
10. '''''Generate''''' Certificate
 
<br>
 
<br>
   −
[[File:IPSec RUT1 Cert Generating.png|none|none]]
+
[[File:IPSec RUT2 Cert Generating.png|none|none]]
    
<br>
 
<br>
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.key.pem under *Keys* and a RUT1.req.pem under *Certificate requests*.
+
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT2.req.pem under *Certificate requests*.
 
<br>
 
<br>
   −
[[File:IPSec RUT1 Cert Generating Confirmation.png|none|none]]
+
[[File:IPSec RUT2 Cert Generating Confirmation.png|none|none]]
   −
<br>
+
====Signing Certificates====
 +
----
   −
Next we need to sign the RUT1 cert.
+
Next we need to sign the CAIPSec CA. We will be Self-Signing our own CA.
Under the `Certificate signing` configure as follows:
+
Under the '''Certificate signing''' configure as follows:
 
  −
- Signed Certificate Name: '''''RUT1'''''
     −
- Type of Certificate to Sign: '''''Client Certificate'''''
+
1. Signed Certificate Name: '''''CAIPSec'''''
   −
- Certificate Request File: '''''RUT1.req.pem'''''
+
2. Type of Certificate to Sign: '''''Certificate Authority'''''
   −
- Days Valid: '''''3650'''''
+
3. Certificate Request File: '''''CAIPSec.req.pem'''''
   −
- Certificate Authority File: '''''CAIPSec.cert.pem'''''
+
4. Days Valid: '''''3650''''' // For this example we will use 3650 days, but you can configure this to be longer if needed. I would caution against too long of a CA.
   −
- Certificate Authority Key: '''''CAIPSec.key.pem'''''
+
5. Certificate Authority Key: '''''CAIPSec.key.pem'''''
   −
- Leave the rest of the configuration alone
+
6. Leave the rest of the configuration default
   −
- '''''Sign'''''
+
7. '''''Sign'''''
 
<br>
 
<br>
   −
[[File:IPSec RUT1 Cert Signing.png|none|none]]
+
[[File:IPSec CA Cert Signing.png|none|none]]
    
<br>
 
<br>
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
+
After you hit *Sign* the CA cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a CAIPSec.cert.pem under *Certificates*.
 
<br>
 
<br>
   −
[[File:IPSec RUT1 Cert Manager Check.png|none|none]]
+
[[File:IPSec CA Cert Generating Confirmation2.png|none|none]]
 
   
<br>
 
<br>
   −
====Generating Rut2 Client Cert====
+
Next we need to sign the RUT1 cert.
----
+
Under the `Certificate signing` configure as follows:
   −
We will still generate RUT2 certs on the RUT1 device, so that we can sign our certs with the CA created earlier.
+
1. Signed Certificate Name: '''''RUT1'''''
Later we will download the certs required for RUT2 and import them there.
     −
* Login to the router's WebUI and go to '''System → Administration → Certificates'''.
+
2. Type of Certificate to Sign: '''''Client Certificate'''''
The following are the settings used for this example, but values should be changed depending on your specific needs:
     −
- File Type: '''''Client'''''
+
3. Certificate Request File: '''''RUT1.req.pem'''''
   −
- Key Size: '''''1024'''''
+
4. Days Valid: '''''3650'''''
   −
- Name (CN): '''''RUT2''''' // This can be whatever name you choose.
+
5. Certificate Authority File: '''''CAIPSec.cert.pem'''''
   −
- Subject Information: '''''Toggled On''''' // It is recommended to fill out at least Country Code, State/Province and Organization Name.
+
6. Certificate Authority Key: '''''CAIPSec.key.pem'''''
   −
- Country Code (CC): '''''US''''' // Fill your country code
+
7. Leave the rest of the configuration alone
   −
- State or Province Name (ST): '''''TX''''' // Fill your State/Province name
+
8. '''''Sign'''''
 +
<br>
   −
- Locality Name (L): '''''RUT2''''' // Fill your locality name, or at least a recognizable name for your CA
+
[[File:IPSec RUT1 Cert Signing.png|none|none]]
   −
- Organization Name (O): '''''RUT2''''' // Fill your Organization name
+
<br>
 
+
After you hit *Sign* the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT1.cert.pem under *Certificates*.
- Organizational Unit Name (OU): '''''RUT2''''' // Fill your specific Unit Name
  −
 
  −
- '''''Generate''''' Certificate
   
<br>
 
<br>
   −
[[File:IPSec RUT2 Cert Generating.png|none|none]]
+
[[File:IPSec RUT1 Cert Manager Check.png|none|none]]
    
<br>
 
<br>
After you hit Generate the Client cert you should see a notification pop-up near the top right, and if you select Certificates Manager you should see a RUT2.key.pem under *Keys* and a RUT2.req.pem under *Certificate requests*.
  −
<br>
  −
  −
[[File:IPSec RUT2 Cert Generating Confirmation.png|none|none]]
      
<br>
 
<br>
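Review bot: The relocated lines "We will still generate RUT2 certs on the RUT1 device" and "Later we will download the certs required for RUT2 and import them there" mean RUT2.key.pem is created on RUT1 and then moved, yet the text says nothing about how that private key should be handled. Suggest adding a sentence that the key file should only be transferred over a trusted channel and removed from RUT1 once it has been imported on RUT2. Also, step 7 of the new RUT1 and RUT2 client lists still carries the comment "or at least a recognizable name for your CA", copied from the CA list; reword it for a client certificate.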
Line 208: Line 210:  
Under the `Certificate signing` configure as follows:
 
Under the `Certificate signing` configure as follows:
   −
- Signed Certificate Name: '''''RUT2'''''
+
1. Signed Certificate Name: '''''RUT2'''''
   −
- Type of Certificate to Sign: '''''Client Certificate'''''
+
2. Type of Certificate to Sign: '''''Client Certificate'''''
   −
- Certificate Request File: '''''RUT2.req.pem'''''
+
3. Certificate Request File: '''''RUT2.req.pem'''''
   −
- Days Valid: '''''3650'''''
+
4. Days Valid: '''''3650'''''
   −
- Certificate Authority File: '''''CAIPSec.cert.pem'''''
+
5. Certificate Authority File: '''''CAIPSec.cert.pem'''''
   −
- Certificate Authority Key: '''''CAIPSec.key.pem'''''
+
6. Certificate Authority Key: '''''CAIPSec.key.pem'''''
   −
- Leave the rest of the configuration alone
+
7. Leave the rest of the configuration alone
   −
- '''''Sign'''''
+
8. '''''Sign'''''
 
<br>
 
<br>
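Review bot: Step 4 gives the RUT2 client certificate Days Valid 3650, the same lifetime as the CA, but unlike the CA signing step it carries no // comment about choosing the value. Suggest a shorter validity for client certificates in the example, or a comment telling readers to pick one that fits their rotation policy. On style, the literal "1." to "8." prefixes are not MediaWiki list markup; "#" at the start of each line would give a real numbered list and keep the numbering automatic.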
  
